Tor Browser 7.0.7 is released

This release updates Firefox to 52.4.1esr, HTTPS-Everywhere to 2017.10.4 and NoScript to 5.1.2. On Linux, content sandboxing is now enabled. This release also fixes some crashes and adds a donation banner, starting on Oct 23, that points to our end-of-the-year 2017 donation campaign.

This new version 7.0.7 and the previous version - which I think was the immediately preceding release version of TBB - cause the Windows crash alert when shut down by clicking the "X" in upper right (right end of titlebar). Commented previously, in https://blog.torproject.org/comment/271794#comment-271794

I am using a fresh install from the exe (the previous version).
I have hardly used TBB since.
However, I haven't left TBB exactly as installed. I've added no bookmarks, but I am using a custom userchrome.css and have used Firefox's normal Customize GUI. I've chosen max security in TBB slider, then changed a few settings in NoScript, and allowed history in Firefox options.

Hard to say. But you could try. I asked the Tails folks a while ago to test 7.5a5 in particular as it contained the sandboxing enabled which 7.0.7 has now as well. I have not heard back about any issues so far (but am not sure either whether they actually tested the content sandboxing in a Tails context).

by reading this
"First, a warning: The sandboxing isn't very strong yet, especially for the threats that Tor Browser deals with: it still allows reading any file and doing arbitrary socket and connect calls, for example, so there's probably a way for a determined attacker to get a generic sandbox escape, and it definitely allows obtaining PII such as MAC addresses." https://trac.torproject.org/projects/tor/ticket/22692

So all those years we thought Tor Browser was a solid privacy option, we were wrong because we are leaving our MAC address everywhere?!
People are using standard browsers as well and a lot of tracking companies will probably have our MAC addresses for use and sale.
So everyone that buys a database of MAC addresses can compare this with Tor Browser web statistics to deanonymise Tor Browser users?

The MAC address can only be seen from the local network. A website cannot get your MAC address, even in standard browsers, so I don't think tracking companies have databases of the MAC addresses of people who visited some websites. What is possible to do is a database of people who connected to a particular wifi network.

The warning you are quoting explains that in case of a vulnerability in the browser, the sandbox is not protecting access to the MAC addresses (and other things), so it still needs improvements to be able to protect anonymity in the case of someone exploiting an unknown vulnerability.

it should be better set "false" and security.tls.version.min=3 (forces TLS 1.2 & disables TLS 1.0 and TLS 1.1), network.IDN_show_punycode;true. If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ECDHE/DHE variants: security.ssl3.rsa_aes_256_sha=false. Enabling the weakest ciphers has been obsolete for 3 years and is still present in Tor_october 2017.

Users must avoid insecure/intrusive services such as Gmail, brand clouds, fun apps & exotic sites, not because they are bad (I am speaking about the people behind them), but because the users are running Tor and/or Debian/Linux system(s). Do not use a Linux OS if you post with Gmail: you lose & spoil all your advantages, replacing them with the worst inconvenience: a big incoherence.
All these services are built for perfect transparency (not for yourself of course), running on Microsoft/Apple for the consumers (retarded & handicapped first) and providing great support (not free). These weak ciphers are for Microsoft users: just a minimal setting.

If it is true that running Tor on Microsoft/Apple is the first step for obtaining minimal privacy;
security in mind, anonymity, privacy, FOSS should have to be understood as a whole concept for a safe internet & personal usage, not because it is geek, modern, fun ... it is the opposite of the idea of being a consumer with a number labeled on your identity ... but because it is the only way to become the owner of his/her own private life and, following the same movement, re-appropriate for oneself his/her own e-space. If you are not involved (or do not want to be) in this choice _it is not an obligation_ do not use Debian/Linux & hardening tweaks.

I would prefer a hardened updated version for Linux users, & the owners of sites should have to update their configuration.
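
A check for the three preferences named in the comment above, as an added example that is not part of the original thread or of Tor Browser: it parses Firefox-style user_pref(...) lines from a user.js or prefs.js file and reports which of the suggested values the file actually sets. The sample file content is constructed, and the target values are simply the ones that commenter proposes.

```python
import re

# Target values are the ones suggested in the comment above (assumption:
# they are that commenter's preferences, not a vetted baseline).
SUGGESTED = {
    "security.tls.version.min": 3,            # 3 = TLS 1.2 as minimum
    "network.IDN_show_punycode": True,
    "security.ssl3.rsa_aes_256_sha": False,   # non-forward-secret RSA suite
}

# One pref per line: user_pref("name", value);  Lines starting with // are comments.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Convert a pref literal to bool, int or str (Firefox's three pref types)."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text, suggested=SUGGESTED):
    """Map each suggested pref to 'matches', 'differs', 'wrong type' or 'not set'."""
    prefs, report = parse_prefs(text), {}
    for name, want in suggested.items():
        if name not in prefs:
            report[name] = "not set"      # browser default applies; the file says nothing
        elif type(prefs[name]) is not type(want):
            report[name] = "wrong type"   # e.g. 1 written where true was meant
        else:
            report[name] = "matches" if prefs[name] == want else "differs"
    return report

# Constructed sample file content, not taken from a real profile.
SAMPLE = '''// hypothetical user.js
user_pref("security.tls.version.min", 1);
user_pref("network.IDN_show_punycode", 1);
// user_pref("security.ssl3.rsa_aes_256_sha", false);
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:10}  {name}")
```

A "not set" result only means the file does not override the preference; the effective value is then whatever the browser build ships as its default.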

Hello. I too have been experiencing the same problem: I installed Tor Browser 6.5.2, went into
Tools->Options->Advanced->Update
and selected EITHER of these options:
Check for updates, but let me choose whether to install them
Never check for updates (not recommended: security risk)
In either case, after using Tor Browser for 30-60 minutes, after exiting it, I would find that on the next relaunch, it will have updated itself contrary to the settings above.

I know this problem did not exist in 5.5.5; must have appeared somewhere between 6.0.0 and 6.5.2. Please fix, this is very annoying.

The 7.0.x versions that I'm forced to update to have broken functionality: they do not let me save web pages properly!!!

Have you filed a bug for the broken functionality somewhere? Staying on an old version without any security updates is not a good solution? Have you tested that 7.0.7 is still broken for your use case?

Just upgraded to TB 7.0.7, and can hardly open pages I traditionally opened in older versions. The few pages that open, do it after a very long time spinning. What gives? Going back to older versions is not an option, and not using TB is not an option either. Any TB developers reading this? Thanks.

How to access Gmail and Google Drive with Tor Browser?
I used the Firefox add-on "Export Import Cookies" to import cookies and log into email accounts like Gmail and Yahoo with Tor Browser 6.5 successfully, but that does not work in Tor Browser 7.07. Using Tor Browser 7.07, although cookies are imported, websites behave as if cookies do not exist and I cannot get into my email accounts. I cannot use a phone number to login because that breaks my anonymity. I need to import some cookies to enter the email accounts using different IPs because without those cookies the security of the email prevents the login if the IP is not the same used in the creation of the account. I do not understand why cookies are successfully imported by the "Export Import Cookies" but Tor Browser and the sites behave as if cookies were never imported. I can see imported cookies in "preferences> privacy> Show Cookies," but the sites cannot find them. I tested the same add-on on firefox-esr 52.4.1, which is the basis of Tor Browser 7.07, and I was able to import cookies and log in to email accounts normally. Can anyone tell me how to import cookies using Tor Browser 7.0.7? Does anyone have any other ideas on how to access Yahoo and Gmail email accounts using Tor Browser? Tor Browser should support an add-on to export and import cookies.

Why does Tor Browser always cause my ZoneAlarm firewall to report that Tor Browser is trying to communicate with explorer.exe? It does this twice, every time I start Tor Browser, even though I tell ZoneAlarm to remember the setting to deny access.

This seems very suspect to me, and has been going on for some time now.

Then, when I opened this new instance of Tor Browser, it again made two attempts to access explorer.exe, as indicated by ZoneAlarm firewall. I denied permission, twice, and the browser opened normally.

10/24/2017 5:06:38 AM.600 [WARN] Received directory with skewed time (DIRSERV:193.23.244.244:443): It seems that our clock is ahead by 1 hours, 57 minutes, or that theirs is behind. Tor requires an accurate clock to work: please check your time, timezone, and date settings.

My clock appears to show the correct time for my time zone. Haven't had any problems with that at all. It is set to synchronize automatically with the naval observatory time server.

What could be causing Tor Browser to report a severe clock skew problem? This did not use to happen, until fairly recently.

Once Tor Browser is up and running, it seems to function normally. But that could just be an illusion. What is going on beneath the surface could be a different story.

I have not noticed this issue with Firefox, which I have highly customized to tighten up security, to approximate that of Tor Browser. I get test scores comparable to Tor Browser when I test using Panopticlick and ip-check.info, though I know they don't tell the whole story.

I had previously placed the Tor Browser folder in my C:\Program Files (x86) folder, to get it off my desktop.

Later, after experiencing this issue, and thinking this might be a problem, I tried putting a fresh installation of Tor Browser back on my desktop, the default location where the installer wants to put it.

Tor Browser is trying to open an existing process.
ZoneAlarm is asking you whether to allow this behavior. Your computer is safe.

What should I do?

If Tor Browser needs to open an existing process in order to function correctly and you know what this program is, then give it permission. If it does not need to open a process, or you know that a process should not be opened, then deny it. If you are unsure, you can always deny it from opening a process and run the program again if it is required.

Why?

Tor Browser is potentially malicious. This is particularly true if opening an existing process will load malicious programs and/or utilize an excessive amount of CPU time, memory, and other resources.

| Alert property | Alert property value | Technical explanation |
|---|---|---|
| Program Name | Tor Browser | A program running on your computer, which attempted an action that was detected by the OSFirewall. |
| Filename | firefox.exe | The filename of the program that ZoneAlarm found on your computer. |
| Program Version | 52.4.1 | The version of Tor Browser running on your computer. |
| Program Size | 337920 | The size of the program executable file in bytes. |
| Program MD5 | 946fd9704dcddf0041eecb2beb28e342 | The MD5 hash, or number, that uniquely identifies the executable. |
| Smart Checksum | 4eadd97966ec4a78d2271d214f0d9272 | The SKIMP hash, or number, that uniquely identifies the executable. |
| Date Modified | Dec-31-1999 05:00:00 PM | The date when firefox.exe was most recently modified. |
| Event Type | Process | The event involved starting or terminating a thread or process. |
| Sub Event Type | OpenProcess | Tor Browser attempted to open another process. |
| Command Line | C:\Windows\Explorer.EXE | The command being used to open another process. |